Technology and Cybersecurity Incident Reporting: New Guidance from OSFI

The Office of the Superintendent of Financial Institutions (OSFI) just published an advisory letter for federally regulated financial institutions (FRFIs). The advisory sets out OSFI's expectations for FRFI cybersecurity incident reporting, gives examples of incidents that should be reported to OSFI, and sets out reporting requirements. It will become effective March 31, 2019.

What Is a Technology or Cybersecurity Incident?

For the purpose of the advisory, a technology or cybersecurity incident is defined as one that has "the potential to, or has been assessed to, materially impact the normal operations of a FRFI, including confidentiality, integrity or availability of its systems and information."

When Does a Technology or Cybersecurity Incident Have to Be Reported to OSFI?

The following characteristics may make an incident reportable:
Some examples of reportable incidents include:
How, What, and When Must an FRFI Report?

An FRFI must notify its Lead Supervisor and TRD@osfi-bsif.gc.ca as promptly as possible, but no later than 72 hours after determining that an incident is reportable. The advisory sets out a list of specific information that must be included in the initial report, such as a description of the incident that covers the date and time, type, severity, direct and indirect impacts, origination, number of clients impacted, root cause, current status, and mitigation steps taken. OSFI also expects FRFIs to provide regular updates as new information becomes available, until all material details about the incident have been provided. Finally, the FRFI will also need to send a post-incident review and "lessons learned" report to OSFI after the incident is closed.

Pre-Incident Preparations

FRFIs should incorporate the requirements of the advisory into their Incident Response Plan. Testing how the organization would react to a reportable incident (through a tabletop exercise or other simulation) is a key component of ensuring that when an attack happens, the FRFI is ready to comply with its obligations. In advance of an attack, FRFIs should also consider how the reporting obligations under this advisory may interact with other regulatory reporting and notification obligations.

If you would like further information or advice in respect of this advisory, or in respect of other cybersecurity matters, please contact Ruth Promislow or Kate Rusk.

Authors
Please note that this publication presents an overview of notable legal trends and related updates. It is intended for informational purposes and not as a replacement for detailed legal advice. If you need guidance tailored to your specific circumstances, please contact one of the authors to explore how we can help you navigate your legal needs. For permission to republish this or any other publication, contact Amrita Kochhar at kochhara@bennettjones.com.